From: Linus Nordberg Date: Fri, 14 Sep 2012 11:07:06 +0000 (+0200) Subject: Document the effects of RADSECPROXY-43. X-Git-Tag: radsecproxy-1.6.1~2 X-Git-Url: http://www.project-moonshot.org/gitweb/?p=radsecproxy.git;a=commitdiff_plain;h=9885649577c4b34e65ea65f0a0a3deb3f13451b4 Document the effects of RADSECPROXY-43. https://project.nordu.net/browse/RADSECPROXY-43 --- diff --git a/radsecproxy.conf.5.xml b/radsecproxy.conf.5.xml index 44ea1c7..1552b6b 100644 --- a/radsecproxy.conf.5.xml +++ b/radsecproxy.conf.5.xml @@ -544,6 +544,15 @@ blocktype name { default. If the specified TLS block name does not exist, or the option is not specified and none of the defaults exist, the proxy will exit with an error. + + NOTE: All versions of radsecproxy up to and including 1.6 + erroneously verify client certificate chains using the CA in the + very first matching client block regardless of which block is + used for the final decision. This was changed in version 1.6.1 + so that a client block with a different tls + option than the first matching client block is no longer + considered for verification of clients. + For a TLS/DTLS client, the option
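Review bot: The added NOTE says a client block with a different tls option than the first matching client block "is no longer considered for verification of clients", but it does not say what an operator will observe from 1.6.1 on. Please state what "matching" refers to here, and whether a client whose certificate chains only to the CA of a later block is now rejected. The text should also spell out the consequence for versions up to and including 1.6: with overlapping client blocks, the chain is checked against the CA of the first matching block, not the CA of the block used for the final decision. A sentence advising that overlapping client blocks use the same tls option, or that more specific blocks be listed first, would make the note actionable. Since the new behaviour is the current one, consider leading with it and giving the pre-1.6.1 behaviour second.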